1 Answer
1
Hi Vignesh, though we sometimes do document what is not possible, I'm not aware of a document that would explain why you cannot connect directly to RDS using SSM. So let me resort to a more generic answer:
SSM allows many more functions - and changes! - to an instance than just connecting to it. Having full SSM functionality on an RDS instance thus would undermine the Shared Responsibility Model we use for RDS (you could also say: it would violate the "Black Box" principle of RDS). Therefore, you need an intermediary instance that forwards the TCP Port exposed by RDS to your local machine.
Further reading:
- The RDS-specific Shared Responsibility Model is explained in "Security in Amazon RDS"
- Our general overview of the Shared Responsibility Model
- In case you don't know already, the EC2 instance can be in a private subnet, too, as explained here: Securely connect to an Amazon RDS or Amazon EC2 database instance remotely with your preferred GUI
If this helped you, kindly mark my answer as "accepted". Kind regards, Uwe
answered 2 years ago
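As an added illustration of the intermediary-instance approach the answer describes (this is example code, not part of Uwe's answer or of any AWS documentation), the script below opens a local tunnel to an RDS endpoint through an SSM-managed EC2 instance using the AWS-provided Session Manager document `AWS-StartPortForwardingSessionToRemoteHost`. It assumes the EC2 instance runs the SSM Agent with an instance profile that allows Session Manager, that its security group lets it reach the RDS port, and that the AWS CLI plus the Session Manager plugin are installed locally. The instance id, endpoint and port numbers are constructed placeholders; the helper functions `ssm_tunnel_params`, `ssm_tunnel_check` and `ssm_tunnel` are names chosen here. Nothing has to be opened on the RDS security group towards the internet, and the EC2 instance itself needs no inbound rule at all, since Session Manager connects outbound from the agent.

```shell
#!/bin/sh
# Added example (not from the re:Post answer): tunnel a local port to an RDS
# endpoint via an SSM-managed EC2 instance in the same VPC. The instance id,
# endpoint and ports used in the usage comment below are constructed.

# Build the JSON parameters document expected by
# AWS-StartPortForwardingSessionToRemoteHost.
ssm_tunnel_params() {
  host="$1"; remote_port="$2"; local_port="$3"
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' \
    "$host" "$remote_port" "$local_port"
}

# Reject obviously malformed input before it reaches the CLI: the target must
# look like an EC2 instance id, the host must be an RDS endpoint (so the
# tunnel cannot be pointed at arbitrary hosts by mistake) and ports must be
# numeric and in range. Returns 0 when everything looks sane, 1 otherwise.
ssm_tunnel_check() {
  instance="$1"; host="$2"; remote_port="$3"; local_port="$4"
  case "$instance" in
    i-[0-9a-f]*) ;;
    *) echo "bad instance id: $instance" >&2; return 1 ;;
  esac
  case "$host" in
    *.rds.amazonaws.com) ;;
    *) echo "host is not an RDS endpoint: $host" >&2; return 1 ;;
  esac
  for p in "$remote_port" "$local_port"; do
    case "$p" in
      ''|*[!0-9]*) echo "port is not numeric: $p" >&2; return 1 ;;
    esac
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
      echo "port out of range: $p" >&2; return 1
    fi
  done
  return 0
}

# Start the tunnel. With DRY_RUN=1 the aws command is printed instead of run,
# which lets you inspect it (and lets the checks below run without AWS access).
ssm_tunnel() {
  instance="$1"; host="$2"; remote_port="$3"; local_port="$4"
  ssm_tunnel_check "$instance" "$host" "$remote_port" "$local_port" || return 1
  params=$(ssm_tunnel_params "$host" "$remote_port" "$local_port")
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws ssm start-session --target %s --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters %s\n' \
      "$instance" "$params"
    return 0
  fi
  aws ssm start-session \
    --target "$instance" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$params"
}

# Usage (constructed placeholder values, replace with your own):
#   DRY_RUN=1 ssm_tunnel i-0123456789abcdef0 mydb.abc123.eu-central-1.rds.amazonaws.com 5432 15432
# Without DRY_RUN the session stays open in the foreground; in a second shell:
#   psql -h 127.0.0.1 -p 15432 -U dbuser mydb
```

Every session started this way is logged in CloudTrail as a `StartSession` call and can be streamed to CloudWatch Logs or S3 through Session Manager preferences, which gives you an audit trail for database access that a plain SSH bastion would not provide by default.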
Thank you for your response. Could you please briefly tell me about the "Black Box" principle of RDS? @Uwe
Though "Black Box" is not official AWS wording, I used it to describe the fact that RDS as a managed system isn't as open to connect to or apply changes (e.g. OS Kernel settings) as a custom install on EC2 would be. It's because of the responsibility AWS takes for RDS's availability and security that some functionality you'd have on a self-managed database server isn't available to you on RDS. Or, in other words: you get a certain service, but the way this service is configured and managed isn't published in detail (and may be changing over time). HTH, Uwe
Thanks, @Uwe. That's a great explanation. Much appreciated
@Uwe I have another question related to this connecting from the docker container. Please share if you have any docs any ideas https://repost.aws/questions/QUGuUewImyTiabU7R946zD9w/from-docker-container-need-to-connect-rds-using-session-manager